Vulnerability in EPiServer.Forms
CustomerContext.Current.CurrentContact.ContactCreditCards should return saved credit cards but it doesn't return any list or say length is always 0, even after saving one credit card entry through code. Also the Saved payment tab is not there in latest versions for Customer Contact, so is this functionality removed intentionally or in process?
To Reproduce
Run this code and at first run there can be empty list of credit cards but after saving one it should show saved credit cards list.
var epiServerContext = CustomerContext.Current.CurrentContact;
var epiServerCreditCards1 = CustomerContext.Current?.GetContactCreditCards(epiServerContext);
var epiServerCreditCards2 = epiServerContext?.ContactCreditCards;
var creditCard = new CreditCard
{
    LastFourDigits = Convert.ToString("1111"),
    ExpirationMonth = Convert.ToInt32(12),
    ExpirationYear = Convert.ToInt32(2023),
    CardType = 1,
};
Checking the Foundation code, the credit card creation is different than what you've got; instead it's
var creditCard = Mediachase.Commerce.Customers.CreditCard.CreateInstance();
creditCard.ContactId = PrimaryKeyId.Parse(_customerService.GetCurrentContactViewModel().ContactId.ToString());
Can you try this and see if you still get the issue, as Foundation is using GetContactCreditCards(currentContact) as you are?
Apologies Scott, I don't mean to hijack your response. Just going to add my 2 cents.
CreditCard class has actually been marked as obsolete. The reason is that it's not actually PCI compliant because it's storing credit card information as plain text in the database. So I expect they will remove this soon. I can't remember what the time frame is from marking a class obsolete to it being removed from the codebase, maybe Scott can help shed some light on that. I would not recommend using this part of Commerce and would implement your own credit card persistence and have it conform to PCI compliance standards.
In answer to your original question, it looks like when the credit card gets loaded from the database, it casts it to Mediachase.Commerce.Customers.CreditCard immediately but because the cast fails...you end up getting an empty list. This is all happening inside the GetContactCreditCards method.
Credit card type is now marked as obsolete, as Surjit said. Storing card numbers is not PCI compliant, which is why it is not recommended anymore. (In most cases, you should be using an external payment provider and they will handle the card information for you; that's usually easier, safer and more future proof.)
If you just want to store information like the last 4 numbers of the card, you can add an extra field to your order and store it there. (As a customer I think that feature is quite helpful because I know which card I used for that order.)
If you absolutely need to store card information, you can try this, again, not recommended:
#pragma warning disable CS0618 // Type or member is obsolete
var creditcard = CreditCard.CreateInstance();
creditcard.CardType = (int)CreditCard.eCreditCardType.Visa;
#pragma warning restore CS0618 // Type or member is obsolete
creditcard.CreditCardNumber = "421698997636466";
creditcard.LastFourDigits = "6466";
_contact.AddCreditCard(creditcard);
_contact.SaveChanges();
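The last-four-only approach suggested in this thread, as an added example that is not code from any poster or from Episerver: it reduces a card number to fields that are safe to keep, and checks that a value about to be persisted does not contain a full card number. CardDisplayInfo, CardDataGuard and their methods are hypothetical names, the card number is a constructed test value, and the code assumes C# 9 or later.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added example: every type and method name here is hypothetical, not Episerver API.
public sealed record CardDisplayInfo(string LastFourDigits, int ExpirationMonth, int ExpirationYear);

public static class CardDataGuard
{
    // 13 to 19 ASCII digits, optionally separated by single spaces or dashes.
    private static readonly Regex PanCandidate =
        new Regex(@"(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9])", RegexOptions.Compiled);

    private static string DigitsOf(string s) =>
        new string((s ?? "").Where(c => c >= '0' && c <= '9').ToArray());

    // Luhn checksum: double every second digit counted from the right.
    public static bool PassesLuhn(string digits)
    {
        int sum = 0;
        for (int i = digits.Length - 1, pos = 0; i >= 0; i--, pos++)
        {
            int d = digits[i] - '0';
            if (pos % 2 == 1) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
        }
        return digits.Length > 0 && sum % 10 == 0;
    }

    // True when the text holds a digit run that looks like a full card number.
    public static bool ContainsFullCardNumber(string text) =>
        PanCandidate.Matches(text ?? "").Cast<Match>().Any(m => PassesLuhn(DigitsOf(m.Value)));

    // Keep only the last four digits and the expiry; the full number is never returned.
    public static CardDisplayInfo ToDisplayInfo(string cardNumber, int month, int year)
    {
        string digits = DigitsOf(cardNumber);
        if (digits.Length < 13 || digits.Length > 19 || !PassesLuhn(digits))
            throw new ArgumentException("Not a valid card number.", nameof(cardNumber));
        if (month < 1 || month > 12) throw new ArgumentOutOfRangeException(nameof(month));
        return new CardDisplayInfo(digits.Substring(digits.Length - 4), month, year);
    }

    public static void Main()
    {
        // Constructed sample input: a widely published test number, not real card data.
        var info = ToDisplayInfo("4111 1111 1111 1111", 12, 2023);
        Console.WriteLine(info);
        Console.WriteLine(ContainsFullCardNumber("paid with 4111-1111-1111-1111"));
        Console.WriteLine(ContainsFullCardNumber(info.ToString()));
    }
}
```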